yuruguo opened a new issue #12419: URL: https://github.com/apache/pulsar/issues/12419
**Is your enhancement request related to a problem? Please describe.**

The `role` (not super-user) that has the topic `produce` permission should also have the operation permission of the topic schema; for example, the `role` gets the topic schema through `./bin/pulsar-admin schemas get tenant1/ns1/tp1`. But I found that we first judge whether the `role` has access to the tenant of this topic, as below:

https://github.com/apache/pulsar/blob/a455d06af19a30aae6edf56d0b6570b23973c48d/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/v2/SchemasResource.java#L82-L91

https://github.com/apache/pulsar/blob/a455d06af19a30aae6edf56d0b6570b23973c48d/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/SchemasResourceBase.java#L87-L94

https://github.com/apache/pulsar/blob/a455d06af19a30aae6edf56d0b6570b23973c48d/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/SchemasResourceBase.java#L309-L312

`L311`'s effect is to `check the http client role has admin access to the specified tenant`. Since the `role` only has the authority to `produce` this topic, it cannot be passed. I have doubts about the rationality of this judgment (the call at `L311`), and we should converge the scope of this judgment.

**Describe the solution you'd like**

Remove this judgment, and replace it with a judgment of whether the `role` has the `produce` permission for this topic, as below:

```
private void validateDestinationAndAdminOperation(boolean authoritative) {
    try {
        // validateAdminAccessForTenant(topicName.getTenant());
        validateTopicOwnership(topicName, authoritative);
        validateTopicOperation(topicName, TopicOperation.PRODUCE);
```
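The following is an added example, not code from the issue or from Apache Pulsar: a small stand-alone model that compares the tenant-admin gate described above with the proposed `PRODUCE` gate for four roles. The role names, the grant tables and the class `SchemaAccessModel` are constructed for illustration, and the model assumes that a tenant admin also passes the topic-level check.

```java
import java.util.Map;
import java.util.Set;

// Simplified model of the two authorization gates discussed in the issue (not Pulsar code).
public class SchemaAccessModel {
    enum TopicOperation { PRODUCE, CONSUME }

    // Constructed sample data: tenant admins and per-topic grants.
    static final Map<String, Set<String>> TENANT_ADMINS =
            Map.of("tenant1", Set.of("ops-admin"));
    static final Map<String, Map<String, Set<TopicOperation>>> TOPIC_GRANTS =
            Map.of("tenant1/ns1/tp1", Map.of(
                    "producer-role", Set.of(TopicOperation.PRODUCE),
                    "consumer-role", Set.of(TopicOperation.CONSUME)));

    static String tenantOf(String topic) {
        return topic.split("/")[0];
    }

    static boolean isTenantAdmin(String role, String tenant) {
        return TENANT_ADMINS.getOrDefault(tenant, Set.of()).contains(role);
    }

    static boolean hasTopicGrant(String role, String topic, TopicOperation op) {
        return TOPIC_GRANTS.getOrDefault(topic, Map.of())
                .getOrDefault(role, Set.of()).contains(op);
    }

    // Gate as described in the issue: only tenant admins may touch the schema.
    static boolean currentGate(String role, String topic) {
        return isTenantAdmin(role, tenantOf(topic));
    }

    // Proposed gate: topic-level PRODUCE permission.
    // Assumption: tenant admins are still accepted by the topic-level check.
    static boolean proposedGate(String role, String topic) {
        return isTenantAdmin(role, tenantOf(topic))
                || hasTopicGrant(role, topic, TopicOperation.PRODUCE);
    }

    public static void main(String[] args) {
        String topic = "tenant1/ns1/tp1";
        System.out.printf("%-15s %-8s %-8s%n", "role", "current", "proposed");
        for (String role : new String[] {"ops-admin", "producer-role", "consumer-role", "unknown-role"}) {
            System.out.printf("%-15s %-8s %-8s%n", role,
                    currentGate(role, topic) ? "allow" : "deny",
                    proposedGate(role, topic) ? "allow" : "deny");
        }
    }
}
```

In this model the producer-only role moves from deny to allow, while a consume-only role is still denied by both gates, so a review of the change should confirm which topic permission each schema operation behind this helper is meant to require.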
